Reply to packet-tunnel-provider-systemextension doesn't work
@DTS Engineer Thank you. I read the documentation provided by Apple engineers. I was able to create the installer successfully and launch the application. However, when I try to connect to the VPN, I get the following error:

```
default 16:53:58.419606+0900 Runetale Saving configuration Runetale with existing signature (null)
error 16:53:58.420440+0900 Runetale Failed to save configuration Runetale: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
error 16:53:58.420474+0900 Runetale Failed to save configuration: Error Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
error 16:53:58.420407+0900 nehelper Runetale Failed to obtain authorization right for 3: no authorization provided
```

Is there any possible reason for this? The entitlements look like this:

App entitlements

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>myteamid.com.runetale.desktop</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>myteamid</string>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>myteamid.com.runetale.desktop</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>
</plist>
```

NetworkExtension entitlements

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>VH5RTVGP6D.com.runetale.desktop.PacketTunnel</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>VH5RTVGP6D</string>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>VH5RTVGP6D.com.runetale.desktop</string>
    </array>
</dict>
</plist>
```

And the automation script I'm using looks like this: Due to character limit, I will paste it in the next comment. Sorry.

What I am careful about:

- Do not use codesign force
- Include -systemextension in entitlements
- Sign other frameworks, resources, etc.
- Copy the provisionprofile created from the Developer Account

Since I am able to install and start the package installer the way it is currently made, I think the cause might be that the provisionprofile isn't set up properly. Any idea?
Apr ’25
Reply to packet-tunnel-provider-systemextension doesn't work
The automation package installer script I'm using looks like this:

```bash
#!/bin/bash
set -euo pipefail

APP_NAME="Runetale.app"
APP_BUNDLE="build/macos/Build/Products/Release/${APP_NAME}"
DEV_ID_APP_CERT="Developer ID Application: MYTEAMID"
DEV_ID_INSTALLER_CERT="Developer ID Installer: MYTEAMID"
APP_VERSION="1.0.0"
APP_BUNDLE_ID="com.runetale.desktop"

# Apple credentials for notarization
APPLE_ID=""
TEAM_ID=""
APP_SPECIFIC_PW=""

# clean and build
rm -rf build
flutter clean
flutter build macos --release

# Ensure the app exists
if [ ! -d "$APP_BUNDLE" ]; then
  echo "Error: $APP_BUNDLE not found. Make sure the app bundle is present."
  exit 1
fi

echo "Starting code signing for $APP_BUNDLE..."

# copy Runetale.app
codesign -d -vvv build/macos/Build/Products/Release/Runetale.app
ditto "$APP_BUNDLE" "$APP_NAME"

# copy entitlements
codesign -d --entitlements Release.entitlements --xml Runetale.app
codesign -d --entitlements PacketTunnelRelease.entitlements --xml Runetale.app/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension

plutil -convert xml1 PacketTunnelRelease.entitlements
plutil -convert xml1 Release.entitlements

cat PacketTunnelRelease.entitlements
cat Release.entitlements

## IMPORTANT: https://developer.apple.com/forums/thread/737894
# added -systemextension prefix for network extension
echo "Adding both entitlements to -systemextension..."

update_entitlement_file() {
  local file="$1"
  local target="packet-tunnel-provider-systemextension"
  local original="packet-tunnel-provider"

  echo "Checking $file..."
  if grep -q "$target" "$file"; then
    echo " -> $file already contains $target, skipping replacement."
  elif grep -q "$original" "$file"; then
    echo " -> Replacing $original with $target in $file..."
    sed -i '' "s/$original/$target/g" "$file"
    echo " -> Replaced $original with $target"
  else
    echo " -> No network extension value to update."
  fi

  if grep -q "<key>com.apple.security.get-task-allow</key>" "$file"; then
    echo " -> Removing com.apple.security.get-task-allow block..."
    sed -i '' '/<key>com.apple.security.get-task-allow<\/key>/{
      N
      /<true\/>/d
    }' "$file"
    sed -i '' '/^[[:space:]]*$/d' "$file"
    echo " -> Removed com.apple.security.get-task-allow"
  else
    echo " -> get-task-allow not found."
  fi
}

update_entitlement_file "Release.entitlements"
update_entitlement_file "PacketTunnelRelease.entitlements"

echo "Moving provisionprofile..."

# copy provisioning profile
cp Runetale_Release.provisionprofile Runetale.app/Contents/embedded.provisionprofile
cp Runetale_Desktop_PacketTunnel_Profile.provisionprofile Runetale.app/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension/Contents/embedded.provisionprofile

# signing PacketTunnel and App
echo "CodeSigning Runetale App with entitlements..."
codesign -s "$DEV_ID_APP_CERT" -f --entitlements Release.entitlements --timestamp -o runtime Runetale.app/
codesign -s "$DEV_ID_APP_CERT" -f --entitlements PacketTunnelRelease.entitlements --timestamp -o runtime Runetale.app/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension

echo "CodeSigning $APP_NAME with Contents, Resources and Frameworks..."

# Contents
if compgen -G "$APP_NAME/Contents/MacOS/*" > /dev/null; then
  for bin in "$APP_NAME/Contents/MacOS/"*; do
    if [ -f "$bin" ]; then
      echo " -> Signing $bin"
      codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" "$bin"
    fi
  done
fi

# Frameworks
find "$APP_NAME/Contents/Frameworks" -type f -perm +111 -print0 | while IFS= read -r -d '' bin; do
  echo "Signing: $bin"
  codesign --force --timestamp --options runtime --sign "$DEV_ID_APP_CERT" "$bin"
done

# Resources
if [ -f "$APP_NAME/Contents/Resources/runetale" ]; then
  echo " -> Signing Resources/runetale"
  codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" "$APP_NAME/Contents/Resources/runetale"
fi

if [ -f "$APP_NAME/Contents/Resources/runetaled" ]; then
  echo " -> Signing Resources/runetaled"
  codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" "$APP_NAME/Contents/Resources/runetaled"
fi

# Runetale
codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" Runetale.app/Contents/MacOS/Runetale

echo "Building signed installer package..."

# Prepare package root and build the installer .pkg
echo "Preparing pkg root for $APP_BUNDLE..."
PKG_ROOT="pkg-root"
rm -rf "$PKG_ROOT" 2>/dev/null || true
mkdir -p "$PKG_ROOT/Applications"

# Copy the app into the package root
cp -R "$APP_NAME" "$PKG_ROOT/Applications/$APP_NAME"

# Create ComponentPlist and set BundleIsRelocatable to false
pkgbuild --analyze --root "$PKG_ROOT" RunetaleComponent.plist
/usr/libexec/PlistBuddy -c "Set :0:BundleIsRelocatable false" RunetaleComponent.plist

PKG_NAME="Runetale-${APP_VERSION}-Installer.pkg"

# Create package installer
pkgbuild --root "$PKG_ROOT" \
  --component-plist RunetaleComponent.plist \
  --identifier "$APP_BUNDLE_ID" \
  --version "$APP_VERSION" \
  --install-location "/" \
  --sign "$DEV_ID_INSTALLER_CERT" \
  "$PKG_NAME"

# Sign the package
INSTALLER_NAME=Installer.pkg
productsign --sign "$DEV_ID_INSTALLER_CERT" "$PKG_NAME" "$INSTALLER_NAME"

# Notarize the package
xcrun notarytool submit "$INSTALLER_NAME" \
  --apple-id "$APPLE_ID" \
  --team-id "$TEAM_ID" \
  --password "$APP_SPECIFIC_PW" \
  --wait

xcrun stapler staple "$INSTALLER_NAME"

echo "Notarized package built at: $INSTALLER_NAME"
```
Apr ’25
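The first post suspects the provisioning profile; one way to test that offline is to compare the entitlements claimed in a signature against the `Entitlements` allowlist carried inside the matching `embedded.provisionprofile`. This is an added example, not code from the thread: the team ID, bundle ID and sample bytes are constructed, and treating only `com.apple.application-identifier` and `com.apple.developer.*` keys as needing profile authorization is a simplifying assumption.

```python
import plistlib

# Assumption: only these keys are treated as needing profile authorization.
RESTRICTED = ("com.apple.application-identifier", "com.apple.developer.")
NE_KEY = "com.apple.developer.networking.networkextension"

def profile_entitlements(blob: bytes) -> dict:
    """Return the Entitlements allowlist from a CMS-wrapped .provisionprofile."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no plist payload in profile")
    return plistlib.loads(blob[start:end + 8]).get("Entitlements", {})

def value_allowed(claimed, allowed) -> bool:
    if isinstance(claimed, list):    # every claimed item must be allowed
        return all(value_allowed(c, allowed) for c in claimed)
    if isinstance(allowed, list):    # any allowlist entry may match
        return any(value_allowed(claimed, a) for a in allowed)
    if isinstance(claimed, str) and isinstance(allowed, str) and allowed.endswith("*"):
        return claimed.startswith(allowed[:-1])   # "TEAMID.*" style wildcard
    return claimed == allowed

def unauthorized(claimed: dict, allowed: dict) -> dict:
    """Map each restricted claimed key the profile does not cover to a reason."""
    problems = {}
    for key, value in claimed.items():
        if not key.startswith(RESTRICTED):
            continue
        if key not in allowed:
            problems[key] = "key absent from profile"
        elif not value_allowed(value, allowed[key]):
            problems[key] = f"claims {value!r}, profile allows {allowed[key]!r}"
    return problems

# Constructed sample: fake CMS bytes around a minimal profile payload.
TEAM = "TEAMID1234"  # placeholder team ID
SAMPLE_PROFILE = b"\x30\x80cms-header" + plistlib.dumps({"Entitlements": {
    "com.apple.application-identifier": f"{TEAM}.com.example.vpn",
    NE_KEY: ["packet-tunnel-provider-systemextension"],
}}) + b"cms-signature"
# Constructed claims, shaped like the plist `codesign -d --entitlements FILE --xml` writes.
CLAIMED = {
    "com.apple.application-identifier": f"{TEAM}.com.example.vpn",
    NE_KEY: ["packet-tunnel-provider"],
    "com.apple.security.network.client": True,
}

if __name__ == "__main__":
    print(unauthorized(CLAIMED, profile_entitlements(SAMPLE_PROFILE)))
```

On a real build, feed `profile_entitlements` the bytes of each `embedded.provisionprofile` and load the claimed side with `plistlib.load` from the entitlement files the script extracts with `codesign -d --entitlements`.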